LiveCode security


edoardotognoni
Posts: 8
Joined: Sun May 13, 2012 2:13 pm

LiveCode security

Post by edoardotognoni » Sun May 13, 2012 2:27 pm

Hi all,
I'm new in this forum and I think it's time to ask you something.
I decided to use LiveCode as the topic of my thesis and I have been asked to focus on security/privacy of data.
I'm trying to find all the functions and ways that LiveCode uses to keep our private data from being discovered.
Let me give an example: there is the AES_ENCRYPT function, the option to use SSL in db connections...
Another example: I've never tried to Wireshark a communication between LiveCode remote apps, or db communications. If someone has ever tried, I would appreciate knowing what the result was.

If you know other possibilities to keep a good level of security, please let me know.

Sorry for my bad English, I'm from Italy.

Regards
Edoardo

Mark
Livecode Opensource Backer
Posts: 5150
Joined: Thu Feb 23, 2006 9:24 pm

Re: LiveCode security

Post by Mark » Sun May 13, 2012 5:34 pm

Hi Edoardo,

Communications between database servers and LiveCode happen in plain text, unless you use a secure connection, e.g. by tunnelling a connection to a server over ssh.

I think you will get more and more useful answers if you ask more specific questions.

Kind regards,

Mark
The biggest LiveCode group on Facebook: https://www.facebook.com/groups/livecode.developers
The book "Programming LiveCode for the Real Beginner"! Get it here! http://tinyurl.com/book-livecode

edoardotognoni

Re: LiveCode security

Post by edoardotognoni » Sun May 13, 2012 6:10 pm

Thanks for your answer.
Think of this: I have an application which works with a LOCAL database. In this database there is a table which describes every account for my app: username, password, address, name, surname, etc.
What would you do to make it as secure as you can? The only thing that comes to my mind, for example, is to encrypt each piece of data in the db and, once I retrieve what I want in my app, decrypt it with AES_DECRYPT, for example. That is the only thing that I would do.

Is there any better way to keep data safe?

Best regards
Edoardo

Mark

Re: LiveCode security

Post by Mark » Sun May 13, 2012 8:34 pm

Hi Edoardo,

Why would you care about security, if the app and the database both run locally? The only danger is that an unauthorised person gets access to the computer. If you're using MySQL, then you will want to set a root password for the MySQL database to keep unwanted visitors out. You need to make sure that your web server doesn't give access to the database. E.g. if you use phpMyAdmin, you need to set the necessary passwords and be careful with setting permissions. Naturally, network sharing could give direct access to all files, so you need to be careful with that too.

All these things have nothing to do with LiveCode, unless you're making a server application with LiveCode. If you do, you just need to make sure that only authorised people can connect to your server application.

So, I'm a little confused and wonder what exactly it is that you're looking for.

Kind regards,

Mark

edoardotognoni

Re: LiveCode security

Post by edoardotognoni » Sun May 13, 2012 11:41 pm

Yes, if the db is local on the machine the only way to make it secure is by having a strong password and all of the other things you mentioned.
Another point of view: for example, if I want to save my data in files, is there a way to encrypt them?

If the db is not local: a coworker of mine told me that with Wireshark he could find the db and username password of a connection established with a LiveCode app. Because, as you said, it appeared in plain text. Is there any way to resolve this?

Best regards
Edoardo

Mark

Re: LiveCode security

Post by Mark » Sun May 13, 2012 11:48 pm

Hi Edoardo,

You can encrypt your data before writing it to a file.

You can use a secure connection (SSH/VPN) to connect to a remote database, or use PHP, which can do a few checks before accepting queries, or use PHP over a secure connection (https, SSL).

Kind regards,

Mark

edoardotognoni

Re: LiveCode security

Post by edoardotognoni » Sun May 13, 2012 11:58 pm

OK, but this does not involve LiveCode. If I have a LiveCode app server which accepts sockets and db connections, and everything goes in plain text, the only way to hide everything is to encrypt before letting it pass, and decrypt on the server side, am I right? Or are there other ways?
Another example is: how to get rid of SQL injection?

Regards
Edoardo

Mark

Re: LiveCode security

Post by Mark » Mon May 14, 2012 12:19 am

Hi Edoardo,

You can find more information about SQL Injection here.

If you're making a server app in LiveCode, then you can implement your own security measures. Yes, these would probably include encryption of your queries. However, you might also be able to use a secure connection over SSH, which indeed doesn't involve LiveCode per se.

Kind regards,

Mark

FourthWorld
VIP Livecode Opensource Backer
Posts: 9837
Joined: Sat Apr 08, 2006 7:05 am
Location: Los Angeles

Re: LiveCode security

Post by FourthWorld » Mon May 14, 2012 12:42 am

Richard Gaskin
LiveCode development, training, and consulting services: Fourth World Systems
LiveCode Group on Facebook
LiveCode Group on LinkedIn

igorBUSvRhc
Posts: 37
Joined: Thu Apr 19, 2012 8:12 am

Re: LiveCode security

Post by igorBUSvRhc » Mon May 14, 2012 10:09 am

Hi, Edoardo,

Security is a very complex area, where there is never a 'one solution fits all' answer. You have to know what you are doing, otherwise you can easily expose and compromise your (or your client's) data. I've had a situation, for instance, where a client's disgruntled ex-employee maliciously used an SQL injection attack to destroy his employer's database. Luckily, we had backups, but still lost a few days of input and changes. That goes to show that even on a *locally hosted* server, you should implement basic security protocols.

I am a newbie in LiveCode, but have found that it has the basic tools I need to implement quite complex security measures. I have done my own little research on LiveCode's encryption functions, and on how to use them for security communications, and have posted about it here:

http://forums.runrev.com/phpBB2/viewtop ... =8&t=11733

I hope this may be useful.

edoardotognoni

Re: LiveCode security

Post by edoardotognoni » Mon May 14, 2012 1:57 pm

Thank you very much for your answers! They are very useful (even the one from FourthWorld ;) )!! Once I have the time I will read the one posted by igor (thank you very much). So, as I see it, the best way to keep apps protected is to manage user inputs, even from SQL injection and cross-site scripting.

Am I right? :)

FourthWorld

Re: LiveCode security

Post by FourthWorld » Mon May 14, 2012 3:03 pm

I think you're on the right track. Keep in mind that security is a process, not a single thing one does. As you go forward you'll find other opportunities for ever greater security. Always assume that hackers know more than you do.

And stay on top of updates, to MySQL, PHP, and anything else you're using. I've seen many a site hacked because they didn't install freely available updates for the systems they use.

Mark

Re: LiveCode security

Post by Mark » Mon May 14, 2012 3:14 pm

Hi,

I think that from my previous answers, it is quite clear that security isn't just a LiveCode thing. You need to make sure that your hardware can't be accessed by unauthorised people, that your network connection is secure, and that the software doesn't leave any doors open. Scripting in LiveCode, PHP and MySQL to keep track of malicious user input is only a small part of the job. You need to take everything into account, from the key to the office room to the data structure in your database.

Kind regards,

Mark

edoardotognoni

Re: LiveCode security

Post by edoardotognoni » Wed May 16, 2012 10:59 pm

Here I am,
I've read everything. Let's say that the article with the RSA and AES discussions was VERY useful. Exactly what I needed :)
Anyway, it seems that there is no way to prevent an SQL-injection attack. We cannot (I think) manipulate users' inputs, since (as mentioned) there could be quotes, semicolons, etc. Bad thing.

Mark

Re: LiveCode security

Post by Mark » Wed May 16, 2012 11:04 pm

Hi,

I think you're wrong. PHP is pretty much the same as LiveCode in this respect and PHP is the most important scripting language of all time until now when it comes to handling user input and MySQL queries. I'm sure you can at least make a serious attempt at preventing SQL injection attacks from being successful.

Kind regards,

Mark
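
Added example (not part of the thread and not any poster's code) for the question the last two posts leave open: LiveCode's database library accepts numbered placeholders (:1, :2, ...) in revDataFromQuery and revExecuteSQL, so input containing quotes can be passed as a value instead of being concatenated into the SQL text. The accounts table, the handler name and the scratch SQLite file are assumptions made for the example.

```livecode
-- Added example; the accounts table, handler name and file name are hypothetical.
command demoPlaceholderLookup
   local tConn, tPath, tName, tUnsafeSQL, tSafeSQL, tUnsafeRows, tSafeRows

   -- Scratch SQLite file so the demo needs no database server.
   put specialFolderPath("temporary") & "/accounts_demo.sqlite" into tPath
   put revOpenDatabase("sqlite", tPath, , , , ) into tConn
   if tConn is not an integer then
      answer "Could not open database:" && tConn
      exit demoPlaceholderLookup
   end if

   -- Constructed sample data.
   revExecuteSQL tConn, "DROP TABLE IF EXISTS accounts"
   revExecuteSQL tConn, "CREATE TABLE accounts (username TEXT, surname TEXT)"
   revExecuteSQL tConn, "INSERT INTO accounts VALUES ('alice', 'Rossi')"
   revExecuteSQL tConn, "INSERT INTO accounts VALUES ('bob', 'Bianchi')"

   -- Constructed input containing quotes, as it might arrive from a field.
   put "nobody' OR '1'='1" into tName

   -- Vulnerable: the input becomes part of the SQL text, so its quote
   -- closes the string literal and the remainder is parsed as SQL.
   put "SELECT username FROM accounts WHERE username = '" & tName & "'" into tUnsafeSQL
   put revDataFromQuery(tab, return, tConn, tUnsafeSQL) into tUnsafeRows

   -- Hardened: :1 is a placeholder. The NAME of the variable is passed,
   -- and its contents are used as a value, never as SQL.
   put "SELECT username FROM accounts WHERE username = :1" into tSafeSQL
   put revDataFromQuery(tab, return, tConn, tSafeSQL, "tName") into tSafeRows

   revCloseDatabase tConn

   answer "Concatenated query:" && the number of lines of tUnsafeRows && "row(s)" & return & \
         "Placeholder query:" && the number of lines of tSafeRows && "row(s)"
end demoPlaceholderLookup
```

The same placeholder form works for INSERT and UPDATE statements through revExecuteSQL, which covers the account fields discussed earlier in the thread.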
